
Need to know:

  • Technology has changed how organisations share and store personal data. It is no wonder that the General Data Protection Regulation seeks to bring data privacy into the 21st century.
  • Employers should not underestimate the complexity of the regulation and should start preparing now.
  • Employment contracts and agreements with benefits providers will be two key areas to review, with the help of expert advisers.

In many ways, 1998 was another time entirely; a pre-smartphone age of paper files, post, and appointments that were written in a diary. Yet 1998 is when the Data Protection Act (DPA) came into effect.

Fast forward almost 20 years, and the nature of personal information has changed completely. Data is overwhelmingly stored electronically and computer databases make it easy to keep more of it than ever before. Types of data which did not exist 20 years ago are now ever-present; the IP address is the new postcode and cookies are no longer simply delicious baked goods.

This has had profound implications for employers. Ruth Christy, an employment professional support lawyer at Blake Morgan, says: “Where years ago, HR teams might have been considering only a personnel file, now they will also have to consider the wide range of digital information held on employees, including activity on work IT systems, mobile devices, vehicles, significant advances in CCTV and wearable technology. In many cases, employees (and employers) could be completely unaware of the breadth of information the employer holds and how it is used.”

With so much data on file, a cyber hack or accidental data breach could have severe consequences. It is no wonder that the European Union (EU) has decided to act to bring the way that organisations keep and share personal data into the modern age.

The General Data Protection Regulation (GDPR) is an EU-wide law on data protection which comes into force on 25 May 2018. It aims to improve data privacy, while simultaneously ensuring that employers tell their staff exactly what information they keep on file and how it is handled.

Brexit is unlikely to affect the implementation of GDPR in the UK. “Even when the UK leaves the EU in 2019, UK law on data protection is expected to continue to be the same or very similar to the GDPR, so that we are able to continue business relationships with organisations in other EU countries where compliance will still be mandatory,” explains Christy.

In August 2017, the government issued a statement of intent for a new Data Protection Bill, which was first announced in the Queen's Speech in June 2017. The government confirmed that the new bill will ensure features included in GDPR are translated into UK law successfully.

Implications for employers

Employers should underestimate GDPR at their peril. Its implications are far-reaching, as Ian Hodson, head of reward at the University of Lincoln, has discovered (see case study). Indeed, two-thirds (66%) of employers are hiring permanent employees to cope with GDPR, according to August 2017 research by recruiter Robert Half UK.

The pressure is intensified by the risk of a hefty fine. Andrew Kimble, partner at law firm Bond Dickinson, says: “At present, organisations can be fined up to £500,000 for a serious breach of the DPA. However, under the GDPR maximum penalties for breaches of its requirements are €20 million, or 4% of an undertaking's worldwide annual turnover if higher. The potentially severe penalties for breaches of the GDPR mean that data protection compliance should now be seen as a key compliance issue for all employers.”

What should employers do now?

GDPR will affect any organisation that stores data. As a result, employers must examine how it will affect their business. Simultaneously, the expert suppliers that employers entrust with third-party data must make sure their houses are in order. These include employee benefits providers, lawyers, pension providers, and many more. Third parties can hold a lot of information about employees; benefits platforms might hold sensitive healthcare data, while pension providers might hold information about how employees’ savings are invested, for instance.

The first step to getting compliant with GDPR is for an employer to assess what data it currently holds and how it holds it. “An audit is the starting point to be able to comply with new, stricter GDPR rules, so that [an employer] can find out what paper information is being hoarded around [its] offices outside of HR teams, in addition to central personnel files and what's held electronically,” says Christy.

Two key follow-on steps are likely to arise, both of which might mean seeking legal advice. The first is a review of the way that existing staff and future hires agree to share their information with the employer. Kimble says: “[GDPR] will require a move away from relying on employment contracts towards comprehensive and clearly drafted privacy notices.”

For instance, at present, employers often include a clause in employment contracts asking staff to agree to their data being shared with third parties in order to provide them with benefits. This will become less frequent in future.

Why? Starting a new job is a big deal, and employees might not want to rock the boat by raising objections to the way their data is handled. Tacitly including a data clause in an employment contract could be seen as applying undue pressure on an individual to give their consent to data sharing, says Mark Simmonds, technical consultant at Willis Towers Watson. Employees are likely to have to actively opt in to employee benefits platforms in future, rather than being enrolled automatically when they start a new job.

In future, employers will have to tell their staff what information they hold and use, the lawful basis for holding and using it, and their rights under GDPR, such as the right to be forgotten, explains Christy. Employers are likely to need to issue privacy notices to existing and new staff.

Christy adds: “Employers [that] already comply with the DPA are likely to have already provided their staff with much of the required information, but they will still need to review all the information they hold and give staff specified information not previously required under the DPA.”

The second follow-on step is to check that benefits providers have been through the same process and revisit each contractual agreement, says Sheilah Mackie, commercial partner at Blake Morgan. “Employers and trustees will need to ensure that any personal data of staff which is outsourced to ‘data processors’, for example, third parties such as payroll providers, benefits providers et cetera, is sufficiently protected by new or revised GDPR-compliant contractual arrangements,” Mackie says.

Finally, public bodies and employers that handle sensitive information on a large scale will be required to appoint a data protection officer (DPO). “While most employers will not need to appoint DPOs, those that do may face some HR challenges. These may arise if they already have employees working in a similarly titled role. This might mean needing to consult on changes to that person's job role to encompass the DPO responsibilities or on changing their title if that person cannot be the DPO. Because of the requirement for the DPO to be independent, he or she cannot be involved in the actual processing of data so this issue may well arise,” says Kimble.

What is the difference between a data processor and a data controller?

Employers would typically be data controllers, says Mark Simmonds, technical consultant at Willis Towers Watson. “They would have data for their workforce and say to an insurer, ‘we want you to provide a quote for a group risk policy,’ say. So, they are the controller and responsible in terms of potentially getting consent to process that data. They instruct the processor, who will then process that data to provide that quotation but they are doing that under license from the controller.”

There are tighter obligations on how data controllers use data than data processors, explains Simmonds. In closely collaborative relationships, employers and their advisers might be joint data controllers. “There will be a lot of risk assessment and analysis to find out what data is held, how it’s being held, decisions about whether that organisation is deemed a controller or processor.”

Read more:

How the University of Lincoln is preparing for the General Data Protection Regulation (GDPR)

Julie Hodgskin: Payroll and the General Data Protection Regulation